If you, your customer or your supplier falls victim to Business Invoice Fraud, who's liable?
That's the question we keep getting asked in relation to impersonation attacks and cyber crime in general. In this post we'll explain it: what the risk is, and what the potential liability is for you.
Before we start, let's look at what Business Invoice Fraud typically looks like.
Business Invoice Fraud
Also known as Mandate Fraud or Supplier Invoice Fraud, this is where a fraudster poses as one of your suppliers. Often they'll inform you that their bank details have changed and provide you with new banking details for payments to be made to.
But who's going to fall for that? Let's run through a slightly more sophisticated example, which is becoming commonplace with Business Invoice Fraud. To bring this closer to home, imagine that you're the supplier:
A cyber criminal notices that your email protection is weak, so they mount an attack on you.
The cyber criminal uses open source software to send what looks like a legitimate email from your email address to one of your customers. It's not a lookalike address; it's your actual email address that they send from, without compromising or hacking your email server.
The email to the customer, sent from your email address but written by the cyber criminal, states that you've changed your bank. It instructs them to pay the outstanding and future invoices to the new bank details instead.
The customer takes this as gospel, because the email has come from your address, so they act accordingly and pay the invoices to the new bank account.
This is the type of attack that is becoming really common. It's an incredibly powerful and sophisticated attack, and what's more, it's so easy to do. If your email authentication hasn't been set up in a compliant manner, then a cyber criminal doesn't even need to hack you. They don't need to:
Compromise your password
Or get you to click a link
Or get you to open an attachment
They can literally click a button and send an email from your email account without you even knowing about it. Scary, I know!
What Protection Is There?
First of all, let's dispel some myths. Common responses we get are:
Our firewall will stop that
Our spam filter won’t allow that
Antivirus will protect against that
We'll stop you there. None of those things will. They protect your network and control who can access it, but you can have the best firewall, spam filter and antivirus in the world and it wouldn't make any difference. If you're not compliant with email authentication standards, a hacker doesn't even need to touch your network or set-up to email from your email account. As we said, scary!
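To make "compliant with email authentication standards" concrete, here is an added example that is not code from the original post or from EquiTech Group. It assumes the standards in question are SPF and DMARC (alongside DKIM, which lives in the message headers rather than in a single DNS record and so isn't checked here). The script reads the SPF and DMARC records a domain publishes in DNS and reports whether a stranger could send deliverable mail as that domain. The DNS lookup assumes the dnspython package is installed; the assessment logic itself runs offline on constructed sample records, and the domain names in those records are placeholders.

```python
"""Check whether a domain's published email-authentication records let a
stranger send mail "from" its addresses.

Added example, not code from the original post or from EquiTech Group. The
post's "email authentication standards" are assumed here to mean SPF
(RFC 7208) and DMARC (RFC 7489). The assessment works on record text, so it
runs offline on the constructed records at the bottom; the optional DNS
lookup assumes the dnspython package is installed.
"""
import sys
from dataclasses import dataclass, field


@dataclass
class Verdict:
    spoofable: bool              # True: a third party can send as this domain and be delivered
    findings: list = field(default_factory=list)


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain_txt, dmarc_txt) -> Verdict:
    """Judge the TXT records published at <domain> and at _dmarc.<domain>."""
    findings = []
    spf_permissive = False

    spf = [r for r in domain_txt if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: receivers cannot tell which servers may send for you")
    elif len(spf) > 1:
        findings.append("more than one SPF record: RFC 7208 treats this as a permanent error")
    else:
        mechanisms = spf[0].split()[1:]
        # A record with no 'all' mechanism defaults to neutral, i.e. '?all'.
        terminal = mechanisms[-1].lower() if mechanisms else "?all"
        if terminal in ("all", "+all"):
            spf_permissive = True
            findings.append("SPF ends in +all: every host on the internet passes the check")
        elif terminal == "?all":
            findings.append("SPF ends in ?all: unknown senders are neutral, not rejected")
        elif terminal == "~all":
            findings.append("SPF ends in ~all: softfail, only enforced if DMARC says so")

    dmarc = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    policy, pct = "none", 100
    if not dmarc:
        findings.append("no DMARC record: a failed SPF/DKIM check has no enforced consequence")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "none").lower()
        pct = int(tags.get("pct", "100"))
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif pct < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")

    enforced = policy in ("quarantine", "reject") and pct == 100
    # With +all an attacker's own server passes SPF for your domain, so DMARC
    # alignment is satisfied and even p=reject does not help.
    return Verdict(spoofable=(not enforced) or spf_permissive, findings=findings)


def lookup_txt(name: str) -> list:
    """TXT strings for a DNS name via dnspython (assumed installed); [] on any failure."""
    try:
        import dns.resolver
        answers = dns.resolver.resolve(name, "TXT")
    except Exception:
        return []
    return ["".join(s.decode() for s in rr.strings) for rr in answers]


def assess_domain(domain: str) -> Verdict:
    """Live check of a domain: its own TXT records plus those at _dmarc.<domain>."""
    return assess(lookup_txt(domain), lookup_txt(f"_dmarc.{domain}"))


# Constructed sample records, not taken from any real domain.
UNPROTECTED = (["v=spf1 include:mail.example.net ~all"], [])
PROTECTED = (["v=spf1 include:mail.example.net -all"],
             ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"])

if __name__ == "__main__":
    verdict = assess_domain(sys.argv[1]) if len(sys.argv) > 1 else assess(*UNPROTECTED)
    print("spoofable" if verdict.spoofable else "protected")
    for line in verdict.findings:
        print(" -", line)
```

Run it as `python check_auth.py yourdomain.example` (file name assumed) to check a live domain, or with no argument to see the constructed unprotected case. The design point is that SPF on its own only describes which servers may send; it is an enforced DMARC policy (p=quarantine or p=reject at pct=100) that turns a failed check into a rejection at the receiving end, and an SPF record ending in +all undoes even that.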
Surely We're Protected, Most People Are?
What makes this even scarier is that so many organisations aren't protected whatsoever. The vast majority of small to medium businesses are lacking in this area. Take a recent evaluation we conducted: we examined the compliance of eighty-three businesses, ranging from 5-user businesses to 500-user businesses. How many do you think were compliant with email authentication standards and therefore couldn't be impersonated?
7 Compliant Businesses - 8%
How staggering is that! 75 of those organisations, 92% of the snapshot of SMBs we assessed, weren't compliant with email authentication standards and could therefore have their email accounts compromised, and potentially fall victim to Business Invoice Fraud.
Who's Liable Then?
So let's roll forward. Suppose you've fallen victim, as in the scenario we outlined earlier. Your email was compromised, a cyber criminal impersonated you, told one of your customers that your banking details had changed (emailing from your email account), and they followed suit and paid the outstanding invoices to that fraudulent bank account.
Who's liable in this circumstance? Is it:
Your customer, who willingly paid a bank account without checking its legitimacy
Your business, as it was your security and email protection that was compromised, which led the customer to pay the wrong bank account
Now, we're by no means legal advisors, but we can shed some light on this subject, which is still a slightly grey area.
First and foremost, you're in a position of friction with your customer regardless. Whatever happens from here, your brand and its reputation have been tarnished in some manner, as that customer will be questioning how secure your business is and whether they can justify working with you in the future.
Now, the hope is that insurance or your bank may cover this. Unfortunately that won't always be the case, and in such circumstances this could lead to a legal dispute between you and the customer.
What's The Legal Perspective?
Again, we're not legal advisors, but it would be well worth reading this article from Norton Rose Fulbright:
We'll paraphrase some of the points for you. There's very little precedent to date, but the case of London Joint Stock Bank Limited v Macmillan may push the liability onto you as the supplier to your customer, just as it fell on the bank's customer in this precedent around cheque fraud:
"Joint Stock Bank v Macmillan - Found that: (i) a customer owes a bank a duty to write cheques taking reasonable care to prevent fraud, and (ii) if, owing to a neglect of this duty, forgery takes place, it is the customer who is liable for the loss"
So the question that might be asked here is: have you neglected your duty, and have you taken reasonable care to prevent fraud? If you haven't put in place sufficient email authentication protection, then this might be questionable.
Also outlined in the link is the stance the US has taken, as there have been some more recent developments there, such as the case of Beau Townsend Ford Lincoln Inc v Don Hinds Ford Inc:
"Beau Townsend Ford Lincoln Inc v Don Hinds Ford Inc - a case involving supplier invoice fraud by email, the US District Court held that liability rested with whichever party was in the best position to prevent the fraud"
This makes it that bit more concerning for your liability as a business. It's subjective of course, but if email authentication compliance would prevent this type of attack, would it be deemed that you as a business were in the best position to prevent the fraud? That's open to interpretation; we'll let you be the judge.
Call To Action
Don't allow this circumstance to happen. Check with us whether you're compliant with email authentication standards and remediate as soon as you can. The only winners in the scenarios outlined are the cyber criminals. Let's make their life that bit harder. Even if your insurer or bank covers the fraudulent payment, the damage to your brand reputation and to your customer relationship will still remain.
If you'd like to discuss your compliance and remediation required then speak to one of our consultants at EquiTech Group:
Phone - 01604 346 444
Email - info@etg365.co.uk